<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <br>
    <div class="moz-cite-prefix">Am 05/19/2016 um 02:49 PM schrieb Larry
      Conklin:<br>
    </div>
    <blockquote
cite="mid:CABzD2JxQJ=8UNdwc=ibdgL0ymDUUfp1+JWuauTq47FF=jVkqjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr"><font color="#000000" face="Times New Roman"
          size="3">
        </font>
        <p style="margin:0in 0in 8pt"><font face="Calibri"><font
              color="#000000" size="3">Johanna, I have to respectfully
              disagree. Yes, TM issues do
              exist. But that said I believe the issue is at times as a
              community we focus
              way too much of our time and effort on the downside of
              anything new or
              different. Bullet proof TM policies or not doesn’t prevent
              anyone from abusing
              our logos.</font></font></p>
      </div>
    </blockquote>
    <br>
    but it clearly states where our red line is and it gives us a legal
    leverage -- whether we use it or not.<br>
    <br>
    Cheers, Dirk<br>
    <br>
    <blockquote
cite="mid:CABzD2JxQJ=8UNdwc=ibdgL0ymDUUfp1+JWuauTq47FF=jVkqjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <p style="margin:0in 0in 8pt"><font face="Calibri"><font
              color="#000000" size="3"> </font><span><font
                color="#000000" size="3"> </font></span><font
              color="#000000" size="3">The same issue is for ISC(2)
              which has badges. Coke Cola, Xerox, Kleenex have the
              strongest brands worldwide,
              with a huge cash pile and lawyers to protect them. They
              are also in some form
              of ligation everyday with people trying to abuse or
              encroach on their bands.
              Yes that is wrong but it’s not every going to prevent
              someone from trying. Isn’t
              the saying “imitation is the greatest complement”. </font></font></p>
        <font color="#000000" face="Times New Roman" size="3">
        </font>
        <p style="margin:0in 0in 8pt"><font color="#000000"
            face="Calibri" size="3">Also we as leaders did to be much
            more proactive. OWASP
            badges were no secret. We knew they were coming. We even had
            a debate on the
            logo style.</font></p>
        <font color="#000000" face="Times New Roman" size="3">
        </font>
        <p style="margin:0in 0in 8pt"><font color="#000000"
            face="Calibri" size="3">My points is still valid IMHO. We
            need to step back and breathe.
            Every new thing that OWASP tries doesn’t need to be wrap in
            a blanket of doom and
            gloom. Yes there is lots of things and need to change,
            things that need to be
            fixed. As a large community everyone is not going to work on
            everyone else’s
            priority projects and nothing is ever going to be perfect. </font></p>
        <font color="#000000" face="Times New Roman" size="3">
        </font>
        <p style="margin:0in 0in 8pt"><font color="#000000"
            face="Calibri" size="3">Second we as leaders to be more
            proactive, we need to have
            much more active discussion before an event and not
            afterwards. And we don’t
            need to address everything as if the world is falling down
            around us.</font></p>
        <font color="#000000" face="Times New Roman" size="3">
        </font>
        <p style="margin:0in 0in 8pt"><font color="#000000"
            face="Calibri" size="3">I apologize if your email and Dirk’s
            was not in that tone
            but that is how it came across to me. </font></p>
        <font color="#000000" face="Times New Roman" size="3">
        </font><span
style="line-height:107%;font-family:"Calibri",sans-serif;font-size:11pt"><font
            color="#000000">Larry Conklin </font></span></div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, May 18, 2016 at 9:08 PM,
          johanna curiel curiel <span dir="ltr"><<a
              moz-do-not-send="true"
              href="mailto:johanna.curiel@owasp.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:johanna.curiel@owasp.org">johanna.curiel@owasp.org</a></a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">me too<span>
                <div><br>
                </div>
                <div><span style="font-size:13px">Hi Larry,</span>
                  <div style="font-size:13px"><br>
                  </div>
                  <div style="font-size:13px">The problem is not the
                    supporter logo.</div>
                  <div style="font-size:13px"><br>
                  </div>
                  <div style="font-size:13px">The issue is the lack of a
                    TM and the lack of policies around the use of it,
                    that can trigger brand abuses. </div>
                  <div style="font-size:13px"><br>
                  </div>
                  <div style="font-size:13px">I just asked my husband
                    who is a lawyer and his opinion was that this should
                    have been done BEFORE not AFTER the launch.However
                    is not too late to provide a legal frameworks and
                    policies around it but is going to cost money to
                    find out.</div>
                  <span style="font-size:13px">
                    <div><br>
                    </div>
                    <div>>>However, a major policy change will not
                      likely occur before we've really thought this
                      through and had some legal advice</div>
                  </span>
                  <div style="font-size:13px">Exactly. I though this was
                    going to be launched when  this was defined
                    properly.</div>
                  <div style="font-size:13px"><br>
                  </div>
                  <div style="font-size:13px">regards</div>
                </div>
              </span></div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Wed, May 18, 2016 at 8:51
                    PM, Larry Conklin <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:larry.conklin@owasp.org"
                        target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:larry.conklin@owasp.org">larry.conklin@owasp.org</a></a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
                      <div dir="ltr">Not sure why but I got a message
                        saying my original email failed.<span>
                          <div><br>
                          </div>
                          <div><span style="font-size:12.8px">I think we
                              need a new badge for doom and gloom. lol.
                              Come on folks. We are proud of what we do
                              at OWASP. We are proud of OWASP. We are
                              proud of what OWASP has accomplish in the
                              AppSec world. </span>
                            <div style="font-size:12.8px"><br>
                            </div>
                            <div style="font-size:12.8px">Why wouldn't
                              we want to show some love? This isn't
                              something new but it is an emerging
                              marketing tool. Today besides having an
                              OWASP badge and can get a badge from
                              ISC(2) for my CISSP certification. 
                              <div><br>
                              </div>
                              <div>I am not diluting ISC(2) brand, nor
                                am I diluting OWASP brand by using a
                                badge. only thing I would be doing is
                                showing my support in a visible way. Oh
                                yes I can also get a badge for Linux
                                Foundation CII.</div>
                            </div>
                            <div style="font-size:12.8px"><br>
                            </div>
                            <div style="font-size:12.8px">Yes we could
                              have a debate if badges really provide or
                              increase motivation or increase marketing.
                              That would be a good debate. But I haven't
                              read one thing that says badges decrease a
                              brand.</div>
                            <div style="font-size:12.8px"><br>
                            </div>
                            <div style="font-size:12.8px">Who is really
                              at fault. it's not like no one didn't see
                              this coming.  Dirk and Johanna your voice
                              would have been much better at the
                              beginning of this conversation and not at
                              the end IMHO. Take a moment, take a deep
                              breath. If you don't like the badge don't
                              use it.</div>
                          </div>
                          <div style="font-size:12.8px"><br>
                          </div>
                          <div style="font-size:12.8px">Larry Conklin</div>
                        </span></div>
                      <div>
                        <div>
                          <div class="gmail_extra"><br>
                            <div class="gmail_quote">On Wed, May 18,
                              2016 at 8:40 PM, Larry Conklin <span
                                dir="ltr"><<a moz-do-not-send="true"
                                  href="mailto:larry.conklin@owasp.org"
                                  target="_blank">larry.conklin@owasp.org</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote"
                                style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
                                <div dir="ltr">I think we need a new
                                  badge for doom and gloom. lol. Come on
                                  folks. We are proud of what we do at
                                  OWASP. We are proud of OWASP. We are
                                  proud of what OWASP has accomplish in
                                  the AppSec world. 
                                  <div><br>
                                  </div>
                                  <div>Why wouldn't we want to show some
                                    love? This isn't something new but
                                    it is an emerging marketing tool.
                                    Today besides having an OWASP badge
                                    and can get a badge from ISC(2) for
                                    my CISSP certification. 
                                    <div><br>
                                    </div>
                                    <div>I am not diluting ISC(2) brand,
                                      nor am I diluting OWASP brand by
                                      using a badge. only thing I would
                                      be doing is showing my support in
                                      a visible way. Oh yes I can also
                                      get a badge for Linux Foundation
                                      CII.</div>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div>Yes we could have a debate if
                                    badges really provide or increase
                                    motivation or increase marketing.
                                    That would be a good debate. But I
                                    haven't read one thing that says
                                    badges decrease a brand.</div>
                                  <div><br>
                                  </div>
                                  <div>Who is really at fault. it's not
                                    like no one didn't see this coming. 
                                    Dirk and Johanna your voice would
                                    have been much better at the
                                    beginning of this conversation and
                                    not at the end IMHO. Take a moment,
                                    take a deep breath. If you don't
                                    like the badge don't use it.</div>
                                  <span><font color="#888888">
                                      <div><br>
                                      </div>
                                      <div>Larry Conklin</div>
                                      <div><br>
                                      </div>
                                    </font></span></div>
                                <div>
                                  <div>
                                    <div class="gmail_extra"><br>
                                      <div class="gmail_quote">On Wed,
                                        May 18, 2016 at 7:12 PM, johanna
                                        curiel curiel <span dir="ltr"><<a
                                            moz-do-not-send="true"
                                            href="mailto:johanna.curiel@owasp.org"
                                            target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:johanna.curiel@owasp.org">johanna.curiel@owasp.org</a></a>></span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote"
                                          style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
                                          <div dir="ltr"><span>
                                              <div><span
                                                  style="font-size:13px">>>To
                                                  make this clear: I
                                                  will rather swallow my
                                                  keyboard instead of
                                                  doing this. In fact I
                                                  am trying to fight
                                                  those </span><span
                                                  style="font-size:13px">cases
                                                  but to me it seems
                                                  that either nobody is
                                                  listening or OWASP
                                                  became a vendor driven
                                                  organization.</span><br>
                                              </div>
                                              <div><br>
                                              </div>
                                            </span>I share Dirk's
                                            concerns. 
                                            <div><br>
                                            </div>
                                            <div>This new supporter logo
                                              can cause more brand
                                              abuses because the uses of
                                              it  has not being properly
                                              defined. </div>
                                            <div><br>
                                            </div>
                                            <div>So far is a free for
                                              all, like Dirk said. This
                                              does not have yet a TM on
                                              it and it should have it
                                              first before going to
                                              promote it . Also specify
                                              in which cases can be
                                              used. Now it can be
                                              completely abused without
                                              OWASP being able to have
                                              any legal framework to
                                              avoid this.</div>
                                            <div><br>
                                            </div>
                                            <div> If anyone is following
                                              social media,  rumour has
                                              it OWASP is a vendor
                                              ground. </div>
                                            <div><br>
                                            </div>
                                            <div>I think I'm an OWASP
                                              supporter, I'm not
                                              benefiting financially on
                                              (ab)using the OWASP name
                                              cause in my country people
                                              even has no idea what
                                              OWASP is.  I assume those
                                              in US and EU can be more
                                              interest in (ab)use it.</div>
                                            <div><br>
                                            </div>
                                            <div>The problem is that it
                                              misleads people into think
                                              that OWASP has an
                                              'approval seal' on
                                              anything a vendor or
                                              individual does.</div>
                                            <div><br>
                                            </div>
                                            <div>Are we promoting more
                                              our 'vendor neutrality'
                                              with this? I don't think
                                              so. </div>
                                            <div><br>
                                            </div>
                                            <div>Now is a free for all.
                                              Good luck checking abuses.
                                              No legal framework right
                                              now for control.</div>
                                            <div><span
                                                style="font-size:13px"><br>
                                              </span></div>
                                          </div>
                                          <div class="gmail_extra">
                                            <div>
                                              <div><br>
                                                <div class="gmail_quote">On
                                                  Wed, May 18, 2016 at
                                                  6:41 PM, Dirk Wetter <span
                                                    dir="ltr"><<a
                                                      moz-do-not-send="true"
href="mailto:dirk@owasp.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:dirk@owasp.org">dirk@owasp.org</a></a>></span>
                                                  wrote:<br>
                                                  <blockquote
                                                    class="gmail_quote"
                                                    style="margin:0px
                                                    0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><br>
                                                    Hi all,<br>
                                                    <br>
                                                    I am not often
                                                    writing to the
                                                    leaders list. Time
                                                    has come though to
                                                    share concerns with
                                                    you.<br>
                                                    <br>
                                                    My trigger is the
                                                    new supporter logo
                                                    "strategy" which
                                                    became public today:<br>
                                                    <a
                                                      moz-do-not-send="true"
href="https://twitter.com/owasp/status/732921073025572864"
                                                      target="_blank"
                                                      rel="noreferrer"><a class="moz-txt-link-freetext" href="https://twitter.com/owasp/status/732921073025572864">https://twitter.com/owasp/status/732921073025572864</a></a><br>
                                                    <br>
                                                    I considered the
                                                    OWASP logo as our
                                                    core value. I
                                                    represents OWASP's
                                                    good<br>
                                                    standing. Lot of
                                                    people in the
                                                    community
                                                    contributed to build
                                                    up our reputation<br>
                                                    and -- as a
                                                    consequence -- to
                                                    our brand. That is
                                                    good. Most of the
                                                    contributors<br>
                                                    were altruistic.
                                                    That's how I
                                                    understand Open
                                                    Source.<br>
                                                    <br>
                                                    Now it looks to me
                                                    we are giving our
                                                    good standing away
                                                    instead of putting
                                                    strong controls<br>
                                                    at it. First
                                                    question: Why do we
                                                    need to do this? Is
                                                    this because we feel
                                                    the need to<br>
                                                    get more people to
                                                    OWASP and we are
                                                    somehow blindfolded
                                                    not able to<br>
                                                    look at the
                                                    consequences of a
                                                    logo distribution?
                                                    Or are there the
                                                    commercial interests
                                                    ruling here?<br>
                                                    <br>
                                                    <br>
                                                    Worse: the branding
                                                    guide  (<a
                                                      moz-do-not-send="true"
href="https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES"
                                                      target="_blank"
                                                      rel="noreferrer"><a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES">https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES</a></a>)<br>
                                                    is more or less
                                                    still the same. I
                                                    had some discussions
                                                    warning that we
                                                    should fix the bugs
                                                    in the branding
                                                    guide<br>
                                                    first before doing
                                                    this. Heck, we don't
                                                    even have a
                                                    trademark policy
                                                    yet, no legal
                                                    constraint [1]<br>
                                                    <br>
                                                    This is quite the
                                                    opposite as the
                                                    speaker agreement --
                                                    by the way.<br>
                                                    <br>
                                                    <br>
                                                    To go into detail
                                                    (attention, sarcasm)<br>
============================<br>
                                                    <br>
                                                    5. The OWASP Brand
                                                    may be used in
                                                    association with an
                                                    application security
                                                    assessment only if a
                                                    complete and
                                                    detailed
                                                    methodology,
                                                    sufficient to
                                                    reproduce the
                                                    results, is
                                                    disclosed.<br>
                                                    <br>
                                                    ==> Cool, OWASP
                                                    allows me to put
                                                    their logo on my
                                                    pentests. That
                                                    certainly sounds
                                                    good for my
                                                    costumers also if I<br>
                                                      present BS to him
                                                    (well, if I care, I
                                                    could describe the
                                                    complete and
                                                    detailed methodology
                                                    -- but who cares!
                                                    Nobody<br>
                                                      can control it as
                                                    my costumer will
                                                    certainly has no
                                                    interest to publish
                                                    my report with his
                                                    bugs)<br>
                                                    <br>
                                                    BTW: This could also
                                                    be applied for
                                                    tools.<br>
                                                    <br>
                                                    <br>
                                                    3. The OWASP Brand
                                                    may be used by OWASP
                                                    Members in good
                                                    standing to
                                                    acknowledge a
                                                    person's involvement
                                                    in or a company's
                                                    support of OWASP.<br>
                                                    <br>
                                                    ==> C00l. I edit
                                                    the wiki, change a
                                                    letter and I can use
                                                    the OWASP brand on
                                                    my website to
                                                    promote my business.<br>
                                                           Or I write a
                                                    mail to the leaders
                                                    list. Heck, in fact,
                                                    as I am on this
                                                    list, I made it and
                                                    can use the OWASP
                                                    logo everywhere!!!<br>
                                                    <br>
                                                    BTW: If a local
                                                    chapter has
                                                    corporate
                                                    sponsorships like
                                                    the global ones,
                                                    vendor XYZ purchases
                                                    this sponsorship<br>
                                                    for ten bucks,
                                                    getting a logo in
                                                    return and next
                                                    exhibition he puts
                                                    this as a sticker to
                                                    his WAF. W00t!<br>
                                                    <br>
                                                    <br>
                                                    1. The OWASP Brand
                                                    may be used to
                                                    direct people to the
                                                    OWASP website for
                                                    information about
                                                    application
                                                    security.<br>
                                                    2. The OWASP Brand
                                                    may be used in
                                                    commentary about the
                                                    materials found on
                                                    the OWASP website.<br>
                                                    <br>
                                                    ==> 1337! I can
                                                    still use the logo
                                                    on my commercial web
                                                    site. My idea is
                                                    here is to sell a
                                                    service or a
                                                    product. But<br>
                                                           if anyone
                                                    reads it of course I
                                                    will argue that I
                                                    only intended to
                                                    point to OWASP.<br>
                                                    <br>
                                                    <br>
                                                    Hopefully you got
                                                    the message without
                                                    feeling offended.<br>
                                                    <br>
                                                    To make this clear:
                                                    I will rather
                                                    swallow my keyboard
                                                    instead of doing
                                                    this. In fact I am
                                                    trying to fight
                                                    those<br>
                                                    cases but to me it
                                                    seems that either
                                                    nobody is listening
                                                    or OWASP became a
                                                    vendor driven
                                                    organization.<br>
                                                    <br>
                                                    <br>
                                                    As a consequence I
                                                    am afraid if we
                                                    don't agree on a
                                                    strong logo /
                                                    trademark policy we
                                                    are commercializing
                                                    more and more.<br>
                                                    Where is "my OWASP"
                                                    I used to love?<br>
                                                    <br>
                                                    <br>
                                                    Dirk<br>
                                                    <br>
                                                    <br>
                                                    <br>
                                                    [1] Even ISACA has
                                                    stronger usage rules
                                                    of their brand (not
                                                    talking about
                                                    materials!):<br>
                                                       <a
                                                      moz-do-not-send="true"
href="http://www.isaca.org/About-ISACA/Licensing-and-Promotion/Pages/IP-Guidelines.aspx#usageRules"
                                                      target="_blank"
                                                      rel="noreferrer"><a class="moz-txt-link-freetext" href="http://www.isaca.org/About-ISACA/Licensing-and-Promotion/Pages/IP-Guidelines.aspx#usageRules">http://www.isaca.org/About-ISACA/Licensing-and-Promotion/Pages/IP-Guidelines.aspx#usageRules</a></a><br>
                                                    <span><font
                                                        color="#888888"><br>
                                                        <br>
                                                        <br>
                                                        <br>
                                                        <br>
                                                        --<br>
                                                        German OWASP
                                                        Chapter Lead<br>
                                                        Send me
                                                        encrypted mails
                                                        (Key ID
                                                        0xB818C039)<br>
                                                        <br>
                                                        <br>
_______________________________________________<br>
                                                        OWASP-Leaders
                                                        mailing list<br>
                                                        <a
                                                          moz-do-not-send="true"
href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a></a><br>
                                                        <a
                                                          moz-do-not-send="true"
href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                                          target="_blank"
rel="noreferrer"><a class="moz-txt-link-freetext" href="https://lists.owasp.org/mailman/listinfo/owasp-leaders">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a></a><br>
                                                      </font></span></blockquote>
                                                </div>
                                                <br>
                                                <br clear="all">
                                                <div><br>
                                                </div>
                                              </div>
                                            </div>
                                            <span><font color="#888888">--
                                                <br>
                                                <div>
                                                  <div dir="ltr">
                                                    <div>Johanna Curiel </div>
                                                    OWASP Volunteer</div>
                                                </div>
                                              </font></span></div>
                                          <br>
_______________________________________________<br>
                                          OWASP-Leaders mailing list<br>
                                          <a moz-do-not-send="true"
                                            href="mailto:OWASP-Leaders@lists.owasp.org"
                                            target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                                          <a moz-do-not-send="true"
                                            href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                            target="_blank"
                                            rel="noreferrer">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                          <br>
                                        </blockquote>
                                      </div>
                                      <br>
                                    </div>
                                  </div>
                                </div>
                              </blockquote>
                            </div>
                            <br>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <div><br>
                  </div>
                  -- <br>
                  <div>
                    <div dir="ltr">
                      <div>Johanna Curiel </div>
                      OWASP Volunteer</div>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="999">-- 
German OWASP Chapter Lead
Send me encrypted mails (Key ID 0xB818C039)

</pre>
  </body>
</html>